Notice of HIPAA Breach


What Happened?
On July 20, 2022, staff at Spring Grove Hospital Center (Spring Grove) became aware of an individual who had listed documents for sale on eBay’s website. According to the eBay listing, these documents were patient records related to persons who were Spring Grove patients between the late 1800s and around 1920.

The seller stated they came into possession of the records around twenty years ago (2002) when they entered a building on Spring Grove’s campus without permission and removed the records without authorization.  They further stated the records were removed from an air-sealed vault in the floor.  The building has been closed for patient care since 1979 and is currently condemned.  Its only use since 1979 has been for storage.

What information was involved?
The records contained patient names, birthdates, treatment dates and clinical information such as diagnosis, treatment and medications.  The records may also have contained patient identification numbers and information concerning the patient’s family members.

How did MDH respond?
The Maryland Department of Health (MDH) and Spring Grove were not aware that the records were missing until Spring Grove staff informed MDH of the listing on eBay.  Upon becoming aware, MDH and Spring Grove immediately commenced an investigation on July 25, 2022.  MDH instructed the seller to promptly remove the listings from eBay and to cease sales.  The investigation is ongoing, and attempts to retrieve the records from the individuals who completed purchases of the items through eBay are underway.  The seller has cooperated with MDH in returning the records that remained in their possession and in contacting the purchasers.

How can affected individuals protect themselves?
MDH has been successful in obtaining some of the records and is working to identify any individuals whose rights were protected by HIPAA at the time of the theft.  We are also continuing in our efforts to retrieve the remaining records from the purchasers.  MDH is making this notification in an abundance of caution because at the time of the theft, some of the records stolen may have been protected by the HIPAA Privacy Rule.  Given the timeframe of the creation of the records, it is likely that all the affected individuals have now passed away.  If you or your family members were treated at Spring Grove during the late 1800s through 1920, please contact MDH with any questions you may have.


You can call us at 410-767-6500 or our toll-free number 877-463-3463.  You can also reach us by email at mdh.privacyofficer@maryland.gov